The optimistic case for IoT security standards

With the second major IoT-based DDoS attack having passed through the news cycle, everyone wants to know what can be done to stop future attacks. With the quantity of internet-enabled devices increasing at an accelerating rate for the foreseeable future, we know that question has to be answered immediately.

Large US tech companies and the US Department of Commerce are meeting about this now. Is this a good sign?

The conspiracy-theorists say it’s a bad sign. It is historically true, after all, that large internet businesses attempt to control the flow of online communications (Microsoft with IE, Google with their search results and Chrome, Facebook with their algorithms and the corn-maze you have to go through before leaving the site, Amazon with commerce, Apple with in-app purchases). It’s also true that government agencies want control, or at least unfettered visibility, into anything and everything they can get their hands on. So if this conspiracy were real, one of the things you’d expect to see is those organizations banding together “for the good of the people.” And that’s what they’re doing.

On the other hand, this could be a good sign. Taking for a moment a position of pure self-interest on the part of large internet businesses, is it good that foreign nations can disable the Internet at will? No, because it disrupts your business, whether it’s Google, Twitter, and Facebook charging for ads, Netflix charging to watch movies, or Amazon and Apple charging for commerce. From the same assumption of self-interest, is it in the US government’s interest that foreign nations can disable the US Internet at will? No, it undermines US sovereignty and the ability to operate, similar to blocking all interstate highways. So if these disparate organizations happen to agree on this issue, what would be the logical step? To meet together to cooperate on this issue of mutual importance. And that’s what they’re doing.

To me, this doesn’t prove either theory correct, but it does demonstrate that we’re not forced to conclude there is something nefarious brewing. We should be wary of that possibility, but it’s not a foregone conclusion.

Indeed, there are many international internet standards which are controlled neither by any large company nor by the US government. Examples: SMTP (the protocol used by email), HTTP (the protocol used by web browsers), TLS (the protocol that wraps both SMTP and HTTP in a shroud of secure privacy), and DNS (the protocol attacked in this latest event, but which was difficult to stop precisely because no one company or government controls it).

Furthermore, there already are international standards bodies governing other aspects of these same devices that were abused for nefarious purposes. All of those devices were certified by UL and CE, for example, which ensure that devices don’t emit harmful or interfering electromagnetic radiation, and that you can’t cause a fire by poking a wire into the device, even by accident.

So we have precedent that IoT devices can be regulated, and that internet protocols can be standardized, with mechanisms that are open, transparent, and international, without a single company or nation in control. These are the components needed to enforce default-secure behavior for IoT devices.

It won’t be easy. The details of regulation will be tricky to agree upon. There will continue to be legacy devices that we need a policy about. (Some have already been recalled.) New attacks will be discovered, which will require regulation to change quickly to keep up, and one thing regulation is certainly not good at is “changing quickly.”

And the conspiracy theorists are correct that, all things being equal, large organizations in both the public and private sectors will attempt to gain control in any way possible, and we must not allow the clear and present danger of DDoS attacks to scare us into giving them undue power.

But we should hold an optimistic view: that control-hungry organizations represent a design constraint for a solution, rather than an impossible obstacle preventing any solution.